For the exploit, the researchers first modified an Alexa speaker they controlled, swapping out some of its soldered-on components to allow them to compromise it. This became the device they used to attack other, unmodified Alexas: by joining their doctored Alexa to the same LAN as an unmodified second-generation Alexa device, they could use the built-in "Whole Home Audio" system to turn their speaker into a listening bug that relayed all the audio from the target Alexa speakers, without those target devices giving any indication that they were transmitting.

The researchers disclosed their attack to Amazon prior to their presentation, and Amazon has already pushed a patch that addresses it to current Alexa owners.

This attack is a very difficult-to-replicate feat, but it represents an early step in exploiting the Alexas, with more likely to come. It has serious implications for environments with lots of shared Alexa devices, such as the plan to put Alexa devices in hotels -- a hacker using this technique could potentially spy on all the guests in the hotel.

The researchers also hinted at potential "evil maid" attacks on Alexa (in which someone with a short period of physical access to a device implants malware on it), noting that it only took minutes for them to change the firmware on an Alexa speaker.

The presentation is also suggestive of the kinds of attacks that state actors ("advanced persistent threats") might bring to bear on their targets.

The researchers' attack, though already patched, demonstrates how hackers can tie together a devious collection of tricks to create an intricate multistep penetration technique that works against even a relatively secure gadget like the Echo. They start by taking apart an Echo of their own, removing its flash chip, writing their own firmware to it, and re-soldering the chip back to the Echo's motherboard. That altered Echo will serve as a tool for attacking other Echoes: Using a series of web vulnerabilities in the Alexa interface on Amazon.com that included cross-site scripting, URL redirection, and HTTPS downgrade attacks—all since fixed by Amazon—they say that they could link their hacked Echo with a target user's Amazon account.

If they can then get that doctored Echo onto the same Wi-Fi network as a target device, the hackers can take advantage of a software component of Amazon's speakers, known as Whole Home Audio Daemon, that the devices use to communicate with other Echoes in the same network. That daemon contained a vulnerability that the hackers found they could exploit via their hacked Echo to gain full control over the target speaker, including the ability to make the Echo play any sound they chose, or more worryingly, silently record and transmit audio to a faraway spy.
